Inside InfoSec Law

An Elkins PLC Blog on Information Security, Cybersecurity, and Privacy Law

How the FTC Regulates Reasonable Cybersecurity and Data Practices

, ,
0

When it comes to investigating company cybersecurity practices and protecting the privacy of consumers, there is no bigger government enforcer than the Federal Trade Commission (FTC). The FTC has authority under Section 5 of the Federal Trade Commission Act to investigate “unfair or deceptive acts or practices in or affecting commerce.” The FTC can investigate most businesses under this section, with the exception of nonprofit organizations and certain industries, such as federally regulated financial institutions and common carriers.

Over the years, the FTC has interpreted Section 5 to give them authority to investigate and bring enforcement actions against businesses that disclose personal information contrary to their publicly posted privacy policies and businesses that lose personal information entrusted to them by their customers because they did not have reasonable cybersecurity and other controls in place to protect such data. This interpretation was most recently affirmed in 2015 by the Federal Court of Appeals for the Third Circuit in a case concerning several cybersecurity attacks that resulted in a data breach of the Wyndham hotel network.

Currently, the FTC’s authority is being challenged in the Federal Court of Appeals for the Eleventh Circuit in the case LabMD, Inc. v. Federal Trade Commission. The FTC has alleged that LabMD was storing sensitive personal information insecurely. The case will turn on whether the FTC can bring enforcement actions for data practices where there is a significant risk of harm in potential unauthorized disclosures of consumer personal information, but no proof of actual injury to consumers. The court’s eventual decision in this case could have wide ranging implications for future FTC enforcement actions on cybersecurity practices.

It may be difficult for a business to determine what cybersecurity and data practices the FTC may or may not consider reasonable in the light of ever evolving technology and cyber treats. However, the FTC has publicly posted the information of all its enforcement actions and settlements on its website, which has formed a type of case law for reasonable cybersecurity practices. The FTC also has a number of relevant resources and articles posted on its websites that businesses can use in developing practices. The FTC also looks favorably on settled information security frameworks and practices, such as the NIST Cybersecurity Framework.

Disclaimer: The materials available at this web site are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this web site or any of the e-mail links contained within the site do not create an attorney-client relationship between the author or Elkins PLC and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

About Post Author

blogauthor

Geoffrey engages in a broad-ranging practice including real estate development, federal and state tax credits, partnership, corporate and securities matters, information security plans and cyber-security, information privacy, privacy policies, privacy compliance, as well as representation of non-profit entities. He is a co-author of the book "The Architecture of Cybersecurity" and a member of the Elkins, PLC Cybersecurity & Privacy Protection team. Geoffrey also holds a Certified Information Privacy Professional (CIPP/US) designation from the International Association of Privacy Professionals.

Leave a Reply